Attachment #9608 for bug #47391





	# ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Password-Hash from UCS: %s" % ucsNThash)

	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['pwdLastSet', 'unicodePwd', 'userPrincipalName', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])
	pwdLastSet = None
	if 'pwdLastSet' in s4_object_attributes:
		pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])
	objectSid = univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0])
	ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: pwdLastSet from S4 : %s" % pwdLastSet)
	# rid = None
	# if s4_object_attributes.has_key('objectSid'):
	# 	rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])

	pwd_set = False

	unicodePwd_attr = s4_object_attributes.get('unicodePwd', [None])[0]
	dBCSPwd_attr = s4_object_attributes.get('dBCSPwd', [None])[0]
	userPrincipalName_attr = s4_object_attributes.get('userPrincipalName', [None])[0]
	supplementalCredentials = s4_object_attributes.get('supplementalCredentials', [None])[0]
	msDS_KeyVersionNumber = s4_object_attributes.get('msDS-KeyVersionNumber', [0])[0]
	userPrincipalName_attr = s4_search_attributes.get('userPrincipalName', [None])[0]
	supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0]
	msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0]
	# ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Password-Hash from S4: %s" % unicodePwd_attr)

	s4NThash = None

			return

	object = s4connector._object_mapping(key, ucs_object, 'ucs')
	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['pwdLastSet', 'unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])

	if s4connector.isInCreationList(object['dn']):
		s4connector.removeFromCreationList(object['dn'])

	if 'pwdLastSet' in s4_object_attributes:
		pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])
	ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: pwdLastSet from S4: %s (%s)" % (pwdLastSet, s4_object_attributes))
	objectSid = univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0])

	# rid = None
	# if s4_object_attributes.has_key('objectSid'):
	# 	rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])

	filter_expr = format_escaped('(objectSid={0!e})', objectSid)
	res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])
	s4_search_attributes = res[0][1]

	unicodePwd_attr = s4_object_attributes.get('unicodePwd', [None])[0]
	if unicodePwd_attr:
		ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()

		lmPwd = ''
		dBCSPwd = s4_object_attributes.get('dBCSPwd', [None])[0]
		if dBCSPwd:
			lmPwd = binascii.b2a_hex(dBCSPwd).upper()

		supplementalCredentials = s4_object_attributes.get('supplementalCredentials', [None])[0]
		msDS_KeyVersionNumber = s4_object_attributes.get('msDS-KeyVersionNumber', [0])[0]

		ntPwd_ucs = ''
		lmPwd_ucs = ''
- 
pwdLastSet changed, even if the hashes didn't
--
.../modules/univention/s4connector/__init__.py          |  1 +
.../modules/univention/s4connector/s4/password.py       | 17 ++++++++++++-----
2 files changed, 13 insertions(+), 5 deletions(-)

(-)a/services/univention-s4-connector/modules/univention/s4connector/__init__.py (+1 lines)

Lines 1554-1559 class ucs:	Link Here

1554

				ud.debug(ud.LDAP, ud.INFO, "sync_to_ucs: old_s4_object: %s" % old_s4_object)

1554

				ud.debug(ud.LDAP, ud.INFO, "sync_to_ucs: old_s4_object: %s" % old_s4_object)

1555

				ud.debug(ud.LDAP, ud.INFO, "sync_to_ucs: new_s4_object: %s" % original_object['attributes'])

1555

				ud.debug(ud.LDAP, ud.INFO, "sync_to_ucs: new_s4_object: %s" % original_object['attributes'])

1556

				if old_s4_object:

1556

				if old_s4_object:

1557

					object['old_s4_object'] = old_s4_object

1557

					for attr in original_object['attributes']:

1558

					for attr in original_object['attributes']:

1558

						if old_s4_object.get(attr) != original_object['attributes'].get(attr):

1559

						if old_s4_object.get(attr) != original_object['attributes'].get(attr):

1559

							object['changed_attributes'].append(attr)

1560

							object['changed_attributes'].append(attr)

(-)a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py (-6 / +12 lines)

Lines 737-748 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru	Link Here

737

			# Append modification as well to modlist, to apply in one transaction

737

			# Append modification as well to modlist, to apply in one transaction

738

			if modifyUserPassword:

738

			if modifyUserPassword:

739

				modlist.append(('userPassword', userPassword_ucs, '{K5KEY}'))

739

				modlist.append(('userPassword', userPassword_ucs, '{K5KEY}'))

740

		else:

741

			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS")

742

743

		try:

744

			old_pwdLastSet = object['old_s4_object']['pwdLastSet'][0]

745

		except (KeyError, IndexError):

746

			old_pwdLastSet = None

740

747

748

		if pwdLastSet != old_pwdLastSet:

749

			ud.debug(ud.LDAP, ud.ALL, "password_sync_s4_to_ucs: updating shadowLastChange")

741

			# Update password expiry interval

750

			# Update password expiry interval

742

751

743

			# update shadowLastChange to now

752

			# update shadowLastChange to now

744

			old_shadowLastChange = ucs_object_attributes.get('shadowLastChange', [None])[0]

753

			old_shadowLastChange = ucs_object_attributes.get('shadowLastChange', [None])[0]

745

			new_shadowLastChange = str(long(time.time()) / 3600 / 24)

754

			pwdLastSet_unix = univention.s4connector.s4.s42unix_time(pwdLastSet)

755

			new_shadowLastChange = str(pwdLastSet_unix)

746

			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update shadowLastChange to %s for %s" % (new_shadowLastChange, ucs_object['dn']))

756

			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update shadowLastChange to %s for %s" % (new_shadowLastChange, ucs_object['dn']))

747

			modlist.append(('shadowLastChange', old_shadowLastChange, new_shadowLastChange))

757

			modlist.append(('shadowLastChange', old_shadowLastChange, new_shadowLastChange))

748

			# shadowMax (set to value of univentionPWExpiryInterval, otherwise delete)

758

			# shadowMax (set to value of univentionPWExpiryInterval, otherwise delete)

Lines 758-774 def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru	Link Here

758

				pwexp_value = pwexp.get('value', [None])[0]

768

				pwexp_value = pwexp.get('value', [None])[0]

759

				if pwexp_value:

769

				if pwexp_value:

760

					new_shadowMax = pwexp_value

770

					new_shadowMax = pwexp_value

761

					new_krb5end = time.strftime("%Y%m%d000000Z", time.gmtime((long(time.time()) + (int(pwexp_value) * 3600 * 24))))

771

					new_krb5end = time.strftime("%Y%m%d000000Z", pwdLastSet_unix + (int(pwexp_value) * 3600 * 24))))

762

			if old_shadowMax or new_shadowMax:

772

			if old_shadowMax or new_shadowMax:

763

				ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update shadowMax to %s for %s" % (new_shadowMax, ucs_object['dn']))

773

				ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update shadowMax to %s for %s" % (new_shadowMax, ucs_object['dn']))

764

				modlist.append(('shadowMax', old_shadowMax, new_shadowMax))

774

				modlist.append(('shadowMax', old_shadowMax, new_shadowMax))

765

			if old_krb5end or new_krb5end:

775

			if old_krb5end or new_krb5end:

766

				ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update krb5PasswordEnd to %s for %s" % (new_krb5end, ucs_object['dn']))

776

				ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: update krb5PasswordEnd to %s for %s" % (new_krb5end, ucs_object['dn']))

767

				modlist.append(('krb5PasswordEnd', old_krb5end, new_krb5end))

777

				modlist.append(('krb5PasswordEnd', old_krb5end, new_krb5end))

768

		else:

769

			ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: No password change to sync to UCS")

770

778

771

		if pwd_changed and (pwdLastSet or pwdLastSet == 0):

772

			newSambaPwdMustChange = sambaPwdMustChange

779

			newSambaPwdMustChange = sambaPwdMustChange

773

			if pwdLastSet == 0:  # pwd change on next login

780

			if pwdLastSet == 0:  # pwd change on next login

774

				newSambaPwdMustChange = str(pwdLastSet)

781

				newSambaPwdMustChange = str(pwdLastSet)

775

Return to bug 47391